#This file was created by Thu Jan 6 11:15:42 2000 #LyX 0.12 (C) 1995-1998 Matthias Ettrich and the LyX Team \lyxformat 2.15 \textclass article \language american \inputencoding latin1 \fontscheme default \graphics default \paperfontsize default \spacing single \papersize Default \paperpackage a4 \use_geometry 0 \use_amsmath 0 \paperorientation portrait \secnumdepth 3 \tocdepth 3 \paragraph_separation skip \defskip medskip \quotes_language english \quotes_times 2 \papercolumns 1 \papersides 2 \paperpagestyle default \layout Title \size huge msec \size default \noun on [Mandrake SECurity tools] \layout Author Camille Bégnis \layout Date 22/12/1999 \layout Standard \begin_inset LatexCommand \tableofcontents \end_inset \layout Section Introducing msec \layout Standard While Linux is being used for a very wide range of applications, from basic office work to high availability servers, came the need for different security levels. It is obvious that constraints inherent to highly secured servers do not match the needs of a secretary. In the other hand a big public server is more sensitive to malicious people than my isolated Linux box. \layout Standard It is in that aim that were designed the msec package. It is made of two parts: \layout Enumerate Scripts that modify the whole system to lead it to one of the six security levels provided with msec. These levels range from very poor security and ease of use, to paranoid config, suitable for very sensitive applications, managed by experts. \layout Enumerate Cron jobs, that will periodically check the integrity of the system upon security level configuration, and eventually detect and warn you of possible intrusion of the system or security leak. \layout Standard Note that the user may also define his own security level, adjusting parameters to his own needs. \layout Section Installation \layout Standard msec is a base rpm. That means that if you previously installed Linux-Mandrake, msec is already installed on your system. \layout Standard Installing the rpm will create a msec directory into /etc/security, containing all is needed to secure your system. \layout Standard Then just login as root and type \begin_inset Quotes erd \end_inset /usr/sbin/msec x \begin_inset Quotes erd \end_inset , x being the security level you want or \begin_inset Quotes eld \end_inset custom \begin_inset Quotes erd \end_inset to create your own security level. The script will begin to remove all modifications made by a previous security level change, and apply the features of the chosen security level to your system. If you choose \begin_inset Quotes eld \end_inset custom \begin_inset Quotes erd \end_inset , then you will be asked a series of questions for each security feature msec proposes. At the end, these features will be applied to your system. \layout Standard Note that whatever the level you chose, your configuration will be stored into \begin_inset Quotes eld \end_inset /etc/security/msec/security.conf \begin_inset Quotes erd \end_inset . \layout Subsection Level 0 \begin_inset Quotes eld \end_inset Welcome To Crackers \begin_inset Quotes erd \end_inset \layout Standard This level is to be used with care. It makes your system more easy to use, but very sensitive at the same time. In particular, you shouldn't use this security level if you answer yes to at least one of the following questions: \layout Itemize Is my computer connected to the Internet? \layout Itemize Is my computer connected to other computers by a network? \layout Itemize Does this computer will be used by someone else than me? \layout Itemize Is there some confidential stuff on my computer I don't want others have access? \layout Itemize I don't know Linux enough and I could harm it by myself? \layout Standard As we see, this security level shouldn't be set by default because it may result in big problems for your data. \layout Subsection Level 1 \begin_inset Quotes eld \end_inset Poor \begin_inset Quotes erd \end_inset \layout Standard The main security improvement compared with level 0 is that now, the access to one user's stuff is granted via user-name and password. So it may be used by various people, and it is less sensitive to bad maneuvers. However it shouldn't be used for a connected computer whether by modem or to a LAN (Local Area Network). \layout Subsection Level 2 \begin_inset Quotes eld \end_inset Low \begin_inset Quotes erd \end_inset \layout Standard Few improvements for this security level, the main one is that there are more security warnings and checks. It is more secure for multi-users use. \layout Subsection Level 3 \begin_inset Quotes erd \end_inset Medium \begin_inset Quotes erd \end_inset \layout Standard This is the standard security recommended for a computer that will be used to connect to the Internet as a client. Most of security checks are periodically run, specifically one that check for open ports on the system. However, these open ports are kept opened and access to them is granted to everyone. So this security level is not really suited for a system permanently connected to the Internet. \layout Standard From the user's point of view, the system is now a little bit more closed, so it'll need some basic knowledges of the Linux system to achieve some special operations. The security here offered is comparable with the one of a standard RedHat or previous Mandrake distribution. \layout Subsection Level 4 \begin_inset Quotes eld \end_inset High \begin_inset Quotes erd \end_inset \layout Standard With this security level, the use of this system as a server becomes possible. The security is now high enough to use the system as a server which accept connections from many clients. Connections from the computer itself only will be granted. Howether advanced services have been disabled, and the system administrator will have to activate the desired ones by hand in config files. He also will have to define from whom the access is granted. \layout Standard Security checks will warn system administrator of possible security holes or intrusions on the system. \layout Subsection Level 5 \begin_inset Quotes eld \end_inset Paranoid \begin_inset Quotes erd \end_inset \layout Standard We take level 4 features, but now the system is entirely closed. Security features are at their maximum. The system administrator has to activate ports, and grant connections to give other computers access to services offered by this machine. \layout Section Security levels features \layout Standard Follows the description of the different security features each level brings to the system. These features are of various types: \layout Itemize file permissions, \layout Itemize warnings dispatching, \layout Itemize periodicall security checks: \layout Quotation - on files: suid root, writable, unowned; \layout Quotation - listening ports: active, promiscuous; \layout Quotation - passwords files. \layout Itemize X display connections, \layout Itemize listening port check, \layout Itemize services available, \layout Itemize boot password, \layout Itemize authorized clients. \layout Standard \LyXTable multicol5 28 7 0 0 -1 -1 -1 -1 1 1 0 0 1 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 0 0 2 1 0 "50mm" "" 8 1 0 "" "" 8 1 0 "" "" 8 1 0 "" "" 8 1 0 "" "" 8 1 0 "" "" 8 1 1 "" "" 0 2 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 2 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 2 0 1 0 0 0 "" "" 0 2 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 2 0 1 0 0 0 "" "" 0 2 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" 0 8 0 1 0 0 0 "" "" \series bold \emph on Feature \backslash Security level \newline 0 \newline 1 \newline 2 \newline 3 \newline 4 \newline 5 \series default \emph toggle \newline Global security check \newline \newline * \newline * \newline * \newline * \newline * \newline umask users \newline 002 \newline 002 \newline 022 \newline 022 \newline 077 \newline 077 \newline umask root \newline 002 \newline 002 \newline 022 \newline 022 \newline 022 \newline 077 \newline shell without password \newline * \newline \newline \newline \newline \newline \newline authorized to connect to X display \newline all \newline local \newline local \newline none \newline none \newline none \newline User in audio group \newline * \newline * \newline * \newline \newline \newline \newline . in $PATH \newline * \newline * \newline \newline \newline \newline \newline Warning in /var/log/security.log \newline \newline * \newline * \newline * \newline * \newline * \newline Warning directly on tty \newline \newline \newline * \newline * \newline * \newline * \newline Warning in syslog \newline \newline \newline * \newline * \newline * \newline * \newline Warning sent by mail to root \newline \newline \newline * \newline * \newline * \newline * \newline Suid root file check \newline \newline \newline * \newline * \newline * \newline * \newline Suid root file md5sum check \newline \newline \newline * \newline * \newline * \newline * \newline Writable file check \newline \newline \newline * \newline * \newline * \newline * \newline Permissions check \newline \newline \newline \newline * \newline * \newline * \newline Suid group file check \newline \newline \newline \newline * \newline * \newline * \newline Unowned file check \newline \newline \newline \newline * \newline * \newline * \newline Promiscuous check \newline \newline \newline \newline * \newline * \newline * \newline Listening port check \newline \newline \newline \newline * \newline * \newline * \newline Passwd file integrity check \newline \newline \newline \newline * \newline * \newline * \newline Shadow file integrity check \newline \newline \newline \newline * \newline * \newline * \newline System security check every midnight \newline \newline \newline \newline * \newline * \newline * \newline All system events additionally logged to /dev/tty12 \newline \newline \newline \newline * \newline * \newline * \newline Only root can \begin_inset Quotes eld \end_inset ctrl-alt-del \begin_inset Quotes erd \end_inset \newline \newline \newline \newline \newline * \newline * \newline Services not known disabled \newline \newline \newline \newline \newline * \newline * \newline Boot password \newline \newline \newline \newline \newline * \newline * \newline Grant connection to \newline all \newline all \newline all \newline all \newline local \newline none \layout Standard Note that six out of the ten periodical checks can detect changes on the system. They store into files located in \begin_inset Quotes eld \end_inset /var/log/security/ \begin_inset Quotes erd \end_inset the configuration of the system during the last check (one day ago), and warn you of any changes occurred meanwhile. These checks are: \layout Itemize Suid root file check \layout Itemize Suid root file md5sum check \layout Itemize Writable file check \layout Itemize Suid group file check \layout Itemize Unowned file check \layout Itemize Listening port check \layout Subsection Global security check \layout Itemize NFS filesystems globally exported. This is regarded as insecure, as there is no restriction for who may mount these filesystems \layout Itemize NFS mounts with missing nosuid. These filesystems are exported without the \begin_inset Quotes eld \end_inset nosuid \begin_inset Quotes erd \end_inset option. \layout Itemize Host trusting files contains \begin_inset Quotes eld \end_inset + \begin_inset Quotes erd \end_inset sign. That means that one of the files \begin_inset Quotes eld \end_inset /etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd \begin_inset Quotes erd \end_inset is containing hosts which are allowed to connect without proper authentication. \layout Itemize Executables found in the aliases file. It issues a warning naming the executables run through files "/etc/aliases \begin_inset Quotes erd \end_inset and \begin_inset Quotes eld \end_inset /etc/postfix/aliases". \layout Subsection umask users \layout Standard Simply sets the umask for normal users to the value corresponding to the security level. \layout Subsection umask root \layout Standard The same but for the root. \layout Subsection shell without password \layout Standard Access to the consoles is granted without asking for a password. \layout Subsection authorized to connect to X display \layout Itemize all : Everybody from everywhere can open an X window on your screen. \layout Itemize local : Only people connected at localhost may open an X window on your screen. \layout Itemize none : Nobody can do that. \layout Subsection User in audio group \layout Standard Each user is a member of the \begin_inset Quotes eld \end_inset audio \begin_inset Quotes erd \end_inset group. That means that every user connected to the system is given access to sound card. \layout Subsection . in $PATH \layout Standard the \begin_inset Quotes eld \end_inset . \begin_inset Quotes erd \end_inset entry is added to $PATH environment variable, allowing execution of programs within the current working directory. \layout Subsection Warning in /var/log/security.log \layout Standard Each warning issued by msec is logged into \begin_inset Quotes eld \end_inset /var/log/security.log \begin_inset Quotes erd \end_inset . \layout Subsection Warning directly on tty \layout Standard Each warning issued by msec is directly printed on current console. \layout Subsection Warning in syslog \layout Standard Warnings of msec are directed to syslog service. \layout Subsection Warning sent by mail to root \layout Standard Warnings issued by msec are also sent by mail to root. \layout Subsection Suid root file check \layout Standard Check for new or removed suid root files on the system. If such files are encountered a list of these files is issued as a warning. \layout Subsection Suid root file md5sum check \layout Standard Checks the md5sum signature of each suid root file that is on the system. If the signature has changed, it means that a modification has been made to this program, probably a backdoor. A warning is then issued. \layout Subsection Writable file check \layout Standard Check wether files are world writable on the system. If so, issues a warning containing the list of these naughty files. \layout Subsection Permissions check \layout Standard This one checks permissions for some special files such as .netrc or user's config files. It also checks permissions of users home dir. If their permissions are too loose or owners unusual, it issues a warning. \layout Subsection Suid group file check \layout Standard Check for new or removed suid group files on the system. If such files are encountered, a list of these files is issued as a warning. \layout Subsection Unowned file check \layout Standard This check searches for files owned by users/groups(or more accurately by uids/gids) not known into /etc/password, If such files are found, the owner is automatically changed to user/group \begin_inset Quotes eld \end_inset nobody \begin_inset Quotes erd \end_inset . \layout Subsection Promiscuous check \layout Standard This test checks every ethernet card to determine wether they are in promiscuous mode. This mode allows the card to intercept every packet received by the card, even those that are not directed to it. It may mean that a sniffer is running on your machine. \layout Standard Note that this check is setted up to be run every minute. \layout Subsection Listening port check \layout Standard Issues a warning with all listening ports. \layout Subsection Passwd file integrity check \layout Standard Verify that each user has a password ( no blank password) and if it is shadowed. \layout Subsection Shadow file integrity check \layout Standard Verify that each user into the shadow file has a password ( no blank password). \layout Subsection System security check every midnight \layout Standard All previous checks will be performed everyday at midnight. This relies on the addition of cron scripts in crontab file. \layout Subsection All system events additionally logged to /dev/tty12 \layout Standard *All* system messages directed to syslog are copied to tty12 console. \layout Subsection Only root can \begin_inset Quotes eld \end_inset ctrl-alt-del \begin_inset Quotes erd \end_inset \layout Standard Root (or a user referenced into /etc/shutdown.allow) must be logged into a console for the key binding \begin_inset Quotes eld \end_inset ctrl-alt-del \begin_inset Quotes erd \end_inset having effect. If no privileged user is logged, nothing happens when someone uses \begin_inset Quotes eld \end_inset ctrl-alt-del \begin_inset Quotes erd \end_inset . \layout Subsection Services not known disabled \layout Standard All services not contained into \begin_inset Quotes eld \end_inset /etc/security/msec/server.4 \begin_inset Quotes erd \end_inset for level 4 or \begin_inset Quotes eld \end_inset server.5 \begin_inset Quotes erd \end_inset for level 5 will be disabled. They are not removed, but simply not started when loading a runlevel. If you need some of them, just add them again with the \begin_inset Quotes eld \end_inset chkconfig \begin_inset Quotes erd \end_inset utility (you might also need to restart them with init scripts in /etc/rc.d/init. d/ ). \layout Subsection Boot password \layout Standard Allows you to setup a password for Lilo. Prevents (unexperienced) people from rebooting the machine, but in the other hand, the machine won't be able to reboot by itself. \layout Subsection Grant connection to \layout Itemize all : All computers are allowed to connect to open ports. \layout Itemize local : Only the localhost is allowed to connect to open ports. \layout Itemize none : No computers are allowed to connect to open ports. \layout Section ToDo \layout Standard - Automatic tty locking ( unlock by passwd ) after X time of inactivity. \layout Standard - In high security level, only user having access to group "sugrp" can use the su command. \layout Section Author \layout Standard Vandoorselaere Yoann \the_end